1. Field of the Invention
The invention pertains to portable integrated circuit cards, also known as chip cards. More particularly, it pertains to cards that have both a memory and a microprocessor to perform application programs contained in the memory. For example, an application program may be a monetary transaction program for a card designed for a banking application.
2. Description of the Prior Art
The general architecture of an integrated circuit chip contained in the card is most usually of the type shown in FIG. 1. The microprocessor is designated by the reference CPU and it is connected to a linking bus, which is furthermore connected to the memories of the card. These memories may be of different types and, most usually, memories of different types are present simultaneously in the integrated circuit. In particular, there may be a read-only memory (ROM) referenced MSYS to contain in particular the fixed programs constituting the general operating systems of the card, a non-volatile memory MU, an electrically programmable memory (EPROM) and possibly an electrically erasable programmable memory (EEPROM) to contain for example application programs and data elements to be kept from one session of use to another, and finally a volatile working memory (RAM) referenced MT containing data elements and portions of programs that are useful during the performance (i.e., execution) of the application programs but are not kept when the card is not used. (Herein, the terms "perform" and "execute" are used interchangeably.)
The integrated circuit also has a communications circuit COM for communications (generally serial communications) between the microprocessor and an input/output terminal I/O of the integrated circuit with a view to exchanges with the exterior of the chip card. The other terminals of the integrated circuit may, in a standard way, be supply terminals (VCC, GND), a clock terminal (CLK), a reset terminal (RST), etc. The functions of the terminals present depend on the communications protocols used.
The general architecture of the integrated circuit may also comprise safety devices DS.
The different memories may, under certain conditions indicated here below, be accessible through the microprocessor CPU to perform the following operations:
the reading of the contents of a determined address, PA1 writing at a determined address, PA1 the performance, by the microprocessor of the card, of an instruction contained at a determined address.
The read-only memory MSYS may be called a system memory in view of the basic operation programs that it contains. These are programs that all the application programs must make use of so that the card may function. This is the central software core of the card. It is fixed and this is why it is made by means of a non-modifiable read-only memory technology. The information elements and programs that it contains are of a confidential type (usually, the manufacturer of the chip does not wish the programs of the card operating system to be known). This memory therefore is not at all accessible in write mode and it is desirable that it should not be accessible in read mode either. It is of course accessible for the performance of instructions.
The non-volatile memory MU contains data elements and programs that are modifiable. It may be called a "user memory" because it contains specific data and specific programs of an application that concerns the user. However the data elements that it contains are confidential in varying degrees and this is why it is most usually sought to divide this memory into zones with varying degrees of reserved access: these may be zones that are accessible in write mode but not in read mode or accessible in read mode but not in write mode or again zones that are completely accessible or completely inaccessible. Furthermore, certain zones have to be capable of containing program instructions that can be performed by the microprocessor of the card while other zones should not be capable of containing such instructions.
The working memory MT contains temporary data elements which may result from the performance of the programs of the operating system or of the application programs. As a general rule, all the zones of the working memory are accessible in read mode, write mode or execution.
The different memories of the chip card therefore require access clearance that is different from one memory to another.
To check the different access clearances, certain chip card circuits are fitted out with a "security matrix". This is a protection circuit that controls access to such and such a zone of a memory as a function of the operation requested (reading, writing, performance of an instruction). This circuit receives the address at which the operation has to be performed and gives a signal to permit or prohibit the performance of the operation requested.
As a general rule, this security matrix prohibits access (for a requested operation) throughout the memory considered, but it is possible to conceive of a case where this matrix is more complicated and prohibits or permits the operation for limited zones of the memory considered. This is becoming increasingly true with the expansion of the sizes of user memories.
The advantage of such a device is that it prohibits the reading of an operating system (developed by the manufacturer of the card) by means of an application program that is being performed in the user memory MU (a program developed by a manager of an application: for example a bank in the case of a bank card). Similarly, it is possible to prohibit the reading by the user of programs developed by the manager of the application.
The safety matrix, when it exists, has the drawback of being fixed once and for all. If this were not the case, there would be the risk that the access prohibition that it sets up might be evaded.
It will be noted that there is no zone, in the working memory MT, reserved for the requirements of the operating systems and no zone reserved for the requirements of the application programs: the working memory contains mixed data elements coming from both types of program. This is a drawback for the safety of the data elements of the operating system.
Furthermore, circuits not fitted out with a safety matrix are flimsy against ill-intentioned encroachment. The reading of the contents of the read-only memory (operating system) can be done before the step of the customization of the card with personal application data elements if major precautions have not been taken. For it is enough, at this stage, to place a program in the user memory for the methodical reading of the contents of the read-only memory and for the transfer of these contents out of the circuit.
At present, the operating systems form a set of processing operations that are dedicated to certain applications (for example banking cards or radiotelephone cards) and have the function of facilitating the development as well as the performance of specific application programs. The designers of these application programs (who are increasingly numerous) have increasingly stringent requirements as regards the functions of the card. It is then necessary to develop the desired functions around a fixed operating system. These functions are placed in a user memory. The programs that provide these functions are functional additions to the basic system and must not interfere with the structures of data elements managed by the operating system.
Specific developments in the future will probably require the increasingly greater flexibility of operating systems, a clear distinction between operating systems and application programs and the adaptable and efficient protection of the programs and of the data elements proper to each program.